Layer 2 virtual private networks may be implemented in many ways. Some implementations establish Generic Routing Encapsulation (“GRE”) tunnels over IPsec tunnels, using two layers of packet encapsulation and prepending a GRE header and an ESP header to each original Ethernet frame. Since the total length of each resulting packet cannot exceed a certain limit, and since the combined GRE and ESP headers are fairly long, some networks are unable to carry packets that have grown by the prepended headers. One solution to that problem is to divide each packet into smaller fragments and to prepend the headers to the individual fragments. The process of dividing a packet into packet fragments is referred to as packet fragmentation.
IP fragmentation is a process of dividing an original IP packet into multiple packet fragments, each of which is smaller than the original IP packet. IP fragmentation may be performed by various devices; in one implementation it is performed by an edge service gateway. An edge service gateway may be a distributed logical router or a service gateway that is configured to provide network edge security and gateway services to machines and users. Examples of gateways are described later.
To perform IP fragmentation on an IP packet, an edge service gateway determines a packet identifier for the packet. The packet identifier is usually determined during GRE encapsulation, which includes prepending the IP and GRE headers to the original packet. A packet identifier, also referred to herein as an Internet Protocol Identifier (“IPID”), is a per-packet sequence number that the gateway assigns to a received packet and carries in the Identification field of the outer IP header. For example, upon receiving a new packet, the gateway increments the packet identifier that was used for the previously received packet by one and assigns the incremented identifier to the new packet. If the incremented identifier exceeds a certain limit, the identifier is reset to zero. To continue with the IP fragmentation, the gateway divides the received packet into multiple packet fragments and stores the same packet identifier in the header of each packet fragment.
However, since the header field that encodes a packet identifier is only 16 bits wide, the identifiers can range from zero to (2^16 − 1). Once an identifier would reach 2^16, it is reset to zero. Resetting an identifier, also referred to as identifier wrapping, may occur quite often in real networks. The example below illustrates a situation in which the wrapping occurs on the order of ten times per second: suppose that devices in a network are configured with a maximum transmission unit (“MTU”) of 1500 bytes, where an MTU corresponds to the maximum size of packets that the devices may handle. Suppose also that the combined GRE and ESP headers are 100 bytes long, and that a 10G uplink carries about 800 k packets of 1500 bytes per second (10 Gbit/s divided by 1500 × 8 bits is roughly 833 k packets per second). A 16-bit identifier will therefore wrap about 800 k/2^16 ≈ 12 times per second, that is, roughly ten times per second.
Wrapping a packet identifier may have negative consequences, especially on the fragment-receiving side. When an edge service gateway receives packet fragments, it stores them in buffers and uses the packet identifier to reassemble the original packets. Fragments are placed into buffers based on the protocol number, the packet identifier, and the source/destination address pair carried in each fragment's header; in other words, the reassembly key is the tuple (source address, destination address, protocol, IPID), and the receiver has no other way to tell one original packet from another. If the sending gateway reuses a wrapped packet identifier in the headers of fragments of a later packet before the receiving gateway has fully reassembled the earlier packet with the same identifier (for example, because one of its fragments was lost or delayed), then fragments carrying the same packet identifier may belong to, or overlap, different original packets, and the receiver may splice them into a single packet that matches neither original. This is referred to as incorrect splicing, IPID overflow, or mis-association of packet identifiers with packets and packet fragments.
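The following Python model is added here as an illustration of the failure described above; it is not part of the original description and does not represent any particular gateway implementation. It models a hypothetical sender (FragmentingSender) that assigns a wrapping 16-bit identifier to each packet and splits the packet into fixed-size fragments, and a hypothetical receiver (Reassembler) that buffers fragments keyed by (source, destination, protocol, IPID) in the manner of RFC 791 reassembly. The addresses, the protocol number 47 (GRE), and the payloads are constructed for the example. It also computes the wrap rate for the figures used above.

```python
# Added illustration of IPID wrapping and mis-splicing; not from the original text.
from collections import defaultdict

IPID_MODULO = 1 << 16  # the IPv4 Identification field is 16 bits wide


def wrap_rate_per_second(packets_per_second, id_bits=16):
    """Times per second a per-packet counter of id_bits bits wraps around.

    With the figures used in the text (800 k packets/s, 16 bits) this is about 12.
    """
    return packets_per_second / (1 << id_bits)


class FragmentingSender:
    """Hypothetical sender: one IPID per packet, payload split into fixed-size fragments.

    A fragment is the tuple (src, dst, proto, ipid, offset, more_fragments, data).
    """

    def __init__(self, src, dst, proto, fragment_size, start_id=0):
        self.flow = (src, dst, proto)
        self.fragment_size = fragment_size
        self.next_id = start_id % IPID_MODULO

    def send(self, payload):
        ipid = self.next_id
        self.next_id = (self.next_id + 1) % IPID_MODULO  # increment by one, wrap at 2^16
        frags = []
        for off in range(0, len(payload), self.fragment_size):
            chunk = payload[off:off + self.fragment_size]
            more = off + self.fragment_size < len(payload)
            frags.append((*self.flow, ipid, off, more, chunk))
        return frags


class Reassembler:
    """Hypothetical receiver: buffers fragments per (src, dst, proto, ipid) and splices them."""

    def __init__(self):
        self.parts = defaultdict(dict)  # key -> {offset: data}
        self.total_len = {}             # key -> length, known once the last fragment arrives

    def receive(self, frag):
        """Store one fragment; return the reassembled payload once the buffer is complete."""
        src, dst, proto, ipid, off, more, data = frag
        key = (src, dst, proto, ipid)
        self.parts[key][off] = data
        if not more:
            self.total_len[key] = off + len(data)
        if key not in self.total_len:
            return None
        assembled, pos = b"", 0
        while pos < self.total_len[key]:
            if pos not in self.parts[key]:
                return None  # a hole remains; keep waiting for the missing fragment
            assembled += self.parts[key][pos]
            pos += len(self.parts[key][pos])
        del self.parts[key], self.total_len[key]
        return assembled


def demonstrate_missplice(fragment_size=4):
    """Reproduce the IPID overflow failure with constructed payloads.

    Packet A (IPID 65535) has its middle fragment delayed in transit. 2^16 - 1 further
    packets wrap the counter, so packet B is also assigned IPID 65535. B's middle
    fragment fills the hole in A's buffer and the receiver emits a packet that is
    neither A nor B. A's real middle fragment later opens a fresh, orphaned buffer.
    """
    sender = FragmentingSender("10.0.0.1", "10.0.0.2", 47, fragment_size,
                               start_id=IPID_MODULO - 1)
    rx = Reassembler()

    a = b"AAAABBBBCCCC"
    frag_a = sender.send(a)
    rx.receive(frag_a[0])   # "AAAA" arrives
    rx.receive(frag_a[2])   # "CCCC" (last fragment) arrives; "BBBB" is still in flight

    # Single-fragment packets with IPIDs 0 .. 65534 bring the counter back to 65535.
    for _ in range(IPID_MODULO - 1):
        (only,) = sender.send(b"x")
        rx.receive(only)

    b = b"XXXXYYYYZZZZ"
    frag_b = sender.send(b)
    spliced = rx.receive(frag_b[1])  # "YYYY" completes A's buffer under the reused IPID
    late = rx.receive(frag_a[1])     # A's delayed "BBBB" starts a new buffer that never completes
    return {"ipid_a": frag_a[0][3], "ipid_b": frag_b[0][3],
            "spliced": spliced, "late_fragment_result": late}


if __name__ == "__main__":
    print(f"wraps per second at 800k pps: {wrap_rate_per_second(800_000):.1f}")
    print(demonstrate_missplice())
```

Running the module shows the receiver handing up the payload AAAAYYYYCCCC, which no sender ever transmitted, while the genuine fragment of packet A is stranded in a buffer that can only time out. The receiver cannot detect the error from the headers alone, because every field it keys on is identical for the two packets.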
Therefore, there is a need to solve the problem of the IPID overflow in computer networks.